Privacy Policy

Last updated: 14 February 2026

1. Data Controller

The data controller responsible for your personal data is:

Stephen Hood

8 Five Acres, Stoke Holy Cross, Norfolk, NR14 8UF, United Kingdom

Email: riskdeskinfo@gmail.com

2. What Data We Collect

We collect only the minimum data necessary to provide the RiskDesk service. The data we process depends on which features you use:

a) Licence Activation

When you activate your licence key, the key is validated against the Gumroad API. We store a masked version of the key (first 8 characters only) alongside an anonymous device identifier for telemetry purposes. We do not collect your name, email, or payment details during activation — that data is held by Gumroad under their own privacy policy.

b) Cloud Database Sync (Optional)

If you choose to enable Cloud Database sync, we collect your email address for the sole purpose of authenticating your account via a one-time verification code (OTP). Your email is stored by our authentication provider (Supabase) and is used only to identify your account and send verification codes. Your trading data (logs, journal entries, account settings, and chart images) is stored in a Supabase-hosted database located in a UK datacentre, encrypted in transit (TLS) and at rest (AES-256), with per-user isolation.

c) Google Cloud Sync (Optional)

If you choose Google Cloud Sync, your data is synced to your own Google Drive via a script you deploy and control. We have no access to this data whatsoever.

d) Local Mode (Default)

By default, all your data is stored entirely on your device in the browser's local storage and IndexedDB. No data leaves your device. We cannot see, access, or recover it.

e) Telemetry

We send a single anonymous telemetry ping when the app loads, containing: a random device ID (generated locally), a masked licence key (first 8 characters), and the app version. This data contains no personally identifiable information and is used solely to track active installations for development prioritisation.

f) API Keys

Your third-party API keys (Alpaca, Finnhub) are stored locally on your device only. They are never uploaded to any cloud service, including our Cloud Database.

3. Legal Basis for Processing

Under the UK GDPR, we process your personal data on the following lawful bases:

  • Contract performance (Article 6(1)(b)): Processing your licence key is necessary to provide you with access to the software you purchased.
  • Consent (Article 6(1)(a)): Processing your email address for Cloud Database sync only occurs when you actively choose to enable this feature and enter your email.
  • Legitimate interest (Article 6(1)(f)): Anonymous telemetry data to understand product usage and prioritise development. You can identify and block this request using browser developer tools if you wish.

4. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following processors, strictly as required to provide the service:

Provider           | Purpose                             | Data Shared                    | Location
-------------------|-------------------------------------|--------------------------------|-----------------------------
Gumroad            | Licence validation                  | Licence key                    | USA
Supabase           | Cloud DB authentication & storage   | Email, trading data, images    | UK
Google             | Google Cloud Sync (user-deployed)   | Trading data (user-controlled) | User's Google account region
Google Apps Script | Anonymous telemetry                 | Device ID, masked key, version | USA

Where data is transferred outside the UK (e.g. to Gumroad in the USA), this is covered by appropriate safeguards under UK GDPR including the provider's Standard Contractual Clauses and/or UK adequacy decisions.

5. Data Retention

  • Local data: Retained until you clear your browser cache or use the Factory Reset function within the app.
  • Cloud Database data: Retained until you delete it via Settings ("Delete all my cloud data") or request deletion by contacting us. Your Supabase auth session expires after 90 days of inactivity.
  • Telemetry data: Retained indefinitely in aggregate form. It contains no personal data.
  • Google Drive data: Managed entirely by you within your own Google account.

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data. For Cloud DB users, you can do this directly from Settings or by contacting us.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format. The Backup Data function in Settings exports your complete dataset as JSON.
  • Right to withdraw consent: You can disconnect from Cloud Database sync at any time from Settings, which stops all further data processing.

To exercise any of these rights, email privacy@riskdesk.io. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies & Local Storage

RiskDesk does not use tracking cookies or third-party analytics cookies. We use browser localStorage and IndexedDB exclusively for application functionality — storing your settings, trade data, and chart images locally on your device. The Supabase authentication token is stored in localStorage to keep you logged in. No advertising or analytics cookies are used.

8. Children's Privacy

RiskDesk is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. Security

We implement appropriate technical measures to protect your data, including TLS encryption for all data in transit, AES-256 encryption at rest for cloud-stored data, per-user data isolation, and passwordless authentication via one-time codes to eliminate credential theft risks. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will be revised accordingly. For material changes, we will provide notice within the RiskDesk application. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us

For any questions about this Privacy Policy or to exercise your data rights, please contact:

Stephen Hood

Email: privacy@riskdesk.io

8 Five Acres, Stoke Holy Cross, Norfolk, NR14 8UF, United Kingdom